The latest iteration of the long-awaited mandatory data breach notification law

Over the past 30 years, Colin has had the unique experience of advising both insurers and managed insurance operations in both general insurance and life insurance related disciplines. As a lawyer he has conducted litigation and advised on policy wordings and compliance issues on behalf of both life and general insurers, reinsurers and insurance brokers, including cyber policies. In the insurance industry he has operational management experience, including managing binding authorities on behalf of both local and Lloyd's underwriters, and has also managed administration agreements and master policy arrangements on behalf of life insurers.

The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (PA Act)was passed on 13 February 2017 and was assented to on 22 February 2017. This is the latest iteration of the long-awaited mandatory data breach notification law, first floated in 2013 with the Privacy Amendment (Privacy Alerts) Bill 2013 (Cth) but which lapsed when Parliament was prorogued before the federal election that same year.

In 2015, the Commonwealth Government released an exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (2015 Bill) for public submissions, which closed on 4 March 2016. The PA Bill is similar to the earlier 2015 exposure draft but with some notable changes, including:

Unauthorised access, disclosure or loss is not an eligible data breach if

the entity takes action before any serious harm arises, and

as a result, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of the affected persons.

The matters to be considered when determining whether a reasonable person would conclude that a breach is likely to result in serious harm. In the PA Bill, the likelihood of persons obtaining the compromised information and having the intent of causing harm as well as the knowledge required to circumvent security technologies is a relevant factor. This is in contrast to the 2015 Bill, which required consideration of whether the compromised information was in a form intelligible to an ordinary person.

Raising the threshold for when a data breach may become notifiable, to situations where a data breach would belikely to result in serious harm—that is, more probable than not. The 2015 Bill provided that a data breach may become notifiable if it resulted in a real risk of serious harm (defined as being a risk that was not a remote risk). This would have potentially resulted in a larger number of notifications, even if the risk of actual harm was relatively low. The PA Bill's explanatory memorandum makes it clear that the legislation does not intend for every data breach to be subject to a notification requirement or for minor breaches to be notified due to the risk of, among other things, notification fatigue.

The amendments to be enacted by the new legislation will come into effect 12 months after assent or on an earlier date fixed by Proclamation—it is possible the amendments could take effect sometime in 2017.

The amendments will require a review of organisations' privacy and compliance programs, including in relation to identifying eligible data breaches and the responsibility for investigating any such breaches, and reviewing third-party processing and storage arrangements, and service contracts to ensure compliance with the reforms.

Failing to comply with the reforms could expose individuals to fines of up to $360,000 and $1.8 million for organisations. It follows that those bound by the Privacy Act 1998 (Cth) should begin working on compliance strategies sooner rather than later.

We would like to acknowledge the contribution of Edward Osborne to this article.